https://bugs.gentoo.org/472584
http://rt.openssl.org/Ticket/Display.html?id=2387&user=guest&pass=guest

fix verification handling in s_client.  when loading paths, make sure
we properly fallback to setting the default paths.

--- openssl-1.0.2/apps/s_client.c
+++ openssl-1.0.2/apps/s_client.c
@@ -1337,7 +1337,7 @@
 
     SSL_CTX_set_verify(ctx, verify, verify_callback);
 
-    if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
+    if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) &&
         (!SSL_CTX_set_default_verify_paths(ctx))) {
         /*
          * BIO_printf(bio_err,"error setting default verify locations\n"); 
